This new law will change how personal data is collected, used, stored and processed. It applies to any company that stores or processes the personal data of people in the EU, wherever that company is based.

In this week’s podcast, I’m joined by Suzanne Dibble to discuss the impact GDPR will have and what we have to do to prepare for it.

Suzanne is a lawyer.

She has been practicing law for over 20 years and is a specialist in data protection.

Suzanne has worked on major data protection projects with multinational corporations (such as The Virgin Group). She has also been heralded by The Law Society as an innovative provider of legal services to small businesses.

Suzanne manages the GDPR For Online Entrepreneurs Facebook group. This free group goes into even more detail on the subject than we will have time to go into in this podcast.

What is GDPR?

GDPR is the General Data Protection Regulation from the European Union. It replaces the current patchwork of national data protection laws, based on the 1995 Data Protection Directive, with a single, more rigorous framework.

Due to Brexit, the UK is also drafting a UK version of the law that will fall into line with the EU regulations.

Why Are Data Protection Laws Changing?

Over the past twenty years, things have changed. According to Google’s Eric Schmidt, we now create as much data every two days as was created in all of history up to 2003.

Data is now the world’s most valuable asset. The idea of GDPR is to introduce legislation that reflects the value and importance of data. This means the penalties associated with breaching GDPR will also reflect that.

The maximum penalty for a breach will be €20m or 4% of global turnover – whichever is higher.

At the moment, the highest possible penalty in the UK is £500k, so the maximum penalty is increasing roughly 40x.

But don’t panic. This is the worst-case scenario. It’s very unlikely any small business owner will be fined anything like this.

In fact, it is unlikely you will be fined at all if you make some basic changes and start working towards full compliance.

If someone happens to put in a complaint against your company and the regulators knock on your door, they will be lenient if you can show evidence you have been working towards becoming compliant. At least initially.

A major point to note about the new legislation is it extends the meaning of personal data. It now means ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.’

So this means online identifiers such as cookies and IP addresses are now clearly in scope.

How Does GDPR Change How We Collect and Use Data?

Say you have a lead magnet. At the moment, the process is:

Opt-in form to receive lead magnet

Collect email address

Send them the report

Promote products to them

Under GDPR, before you process any personal data, you need a lawful basis for doing so.

That lawful basis can be one of the following (GDPR also lists vital interests and public task, which rarely apply to marketers):

Consent – the person has given permission to use their data in that way.

Contract – you have to process a client’s data as part of a contract you have with that client.

Legal obligation – to comply with the law.

Legitimate interests – the processing is necessary for your (or a third party’s) legitimate interests, unless those interests are overridden by the interests or fundamental rights of the person whose data it is.

For the most part (as is the case with the lead magnet example above), we will be relying upon consent.

GDPR sets a higher standard for consent than currently exists. It has to be given by a clear, affirmative act, establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing.

It can be done by written statement (including electronic means) or by oral statement.

This means no more pre-checked boxes, and probably means separate, unticked check boxes for each distinct purpose (different product lines, different types of email).

You also need to update your privacy policy and link to that policy when people are signing up.

Double opt-in, where the subscriber confirms by clicking a link in a follow-up email, is a good way to evidence that consent was actually given, but it is not the only way.

What is Legitimate Interest?

Because this is new legislation, it is not 100% clear what legitimate interest covers. No precedent has been set as of now.

But, legitimate interest is where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

What Data Is In Scope And What Data Is Out Of Scope?

Any information that identifies a living individual is in scope. This means email, name, cookies, IP addresses and more.

Although marketing communications are covered by PECR (the Privacy and Electronic Communications Regulations), it makes sense to treat all communications as though they come under GDPR.

PECR is being brought into line with GDPR although this will not be completed until 2019 at the earliest.

For lead generation, it is fine to send individual emails to prospects. The issue comes if you try to add these prospects to your email system against their will or knowledge.

Privacy Shield and Using Compliant Service Providers

You can only send personal data outside the EEA (European Economic Area) to countries the EU has found to have ‘adequate’ data protection laws, or where another approved safeguard (such as the EU’s standard contractual clauses) is in place.

The US is not considered to have adequate data privacy laws. This is where the EU-US Privacy Shield comes in.

You can send your data to companies registered on the EU-US Privacy Shield, as they have self-certified to the Privacy Shield principles, which the EU recognised as adequate. (Note that the Court of Justice of the EU invalidated Privacy Shield in July 2020, so it can no longer be relied on for transfers.)

Remember, you remain the data controller: if you send personal data to a company outside the EU and they have a data breach, you are answerable for that breach in the eyes of the EU regulators.

If you only use companies registered on the Privacy Shield, the regulators are more likely to be lenient.

Does Consent Need To Be Refreshed Regularly?

Yes.

The ICO in the UK suggests consent should be refreshed every two years.

This should probably be via opt-in again.

How Does GDPR Affect Link Building?

The case for link building comes under legitimate interests. For example, if you are reaching out to a site that openly accepts guest posts, you can argue that contacting them, and storing the editor’s email address to do so, is something they would reasonably expect.

As Suzanne mentioned earlier, prospecting or lead generation is not a problem under GDPR. You can make a case for putting link building under the same umbrella as prospecting.

When using a third-party tool (e.g. Mailshake) for outreach, you have to make sure the provider is GDPR compliant, otherwise you can be found liable for any breaches on their side.

It is also a gray area when you add data from Hunter to Mailshake. At this point the data is being processed and the person is not expecting to hear from you. Again, this is where the legitimate interests argument comes in.

The main thing is to be sensible, don’t be aggressive and give people an option that makes it easy for them to unsubscribe or not hear from you again.

As for keeping an unsubscribe list (a blacklist, or suppression list) for outreach: storing the sites that have asked not to be contacted is itself in their interest. It means you can check new targets against the list before sending and avoid annoying people who have asked to be left alone.

In terms of data security, this sheet contains personal data, so it should at least be password protected and encrypted at rest, with access limited to the people who actually do the outreach.
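As an added example (not from the podcast or from Suzanne’s materials), here is one way to build that outreach suppression list so the list itself holds no readable addresses: each opted-out contact or domain is stored as a keyed hash (HMAC-SHA256), and every outreach target is checked against it, both as a full address and by domain, before a message goes out. The key and the sample contacts are constructed for the example. A keyed hash is pseudonymisation, not anonymisation, so the list is still personal data under GDPR, but a leaked copy gives an attacker far less than a spreadsheet of names and emails would.

```python
"""Keyed-hash suppression list for outreach (added example, not the page's code).

Assumption: SUPPRESSION_KEY is loaded from a secrets store in a real deployment.
The sample contacts used in the demo at the bottom are constructed.
"""
import hashlib
import hmac

SUPPRESSION_KEY = b"replace-with-a-random-32-byte-secret"  # assumption: never hard-code in production


def normalize_contact(contact: str) -> str:
    """Canonical form so 'Editor@Example.org ' and 'mailto:editor@example.org' match."""
    contact = contact.strip().lower()
    if contact.startswith("mailto:"):
        contact = contact[len("mailto:"):]
    return contact


def suppression_tag(value: str) -> str:
    """HMAC-SHA256 of a normalized address or domain; the list stores only these tags.

    Without the key, a leaked list cannot be reversed by hashing a dictionary of
    known addresses, which a plain SHA-256 list would allow.
    """
    return hmac.new(SUPPRESSION_KEY, normalize_contact(value).encode("utf-8"),
                    hashlib.sha256).hexdigest()


class SuppressionList:
    """Set of opt-out tags; nothing in it is a readable email address."""

    def __init__(self):
        self._tags = set()

    def add(self, contact_or_domain: str) -> None:
        """Honor an opt-out: 'never contact me' (address) or 'nobody here' (bare domain)."""
        self._tags.add(suppression_tag(contact_or_domain))

    def is_suppressed(self, email: str) -> bool:
        """Block if the address itself, or its whole domain, asked not to be contacted."""
        email = normalize_contact(email)
        if suppression_tag(email) in self._tags:
            return True
        _, _, domain = email.rpartition("@")
        return bool(domain) and suppression_tag(domain) in self._tags

    def filter_targets(self, emails):
        """Return only the targets it is acceptable to contact, in the original order."""
        return [e for e in emails if not self.is_suppressed(e)]

    def export(self):
        """What gets written to disk: sorted tags only, no addresses or domains."""
        return sorted(self._tags)


def build_demo_list() -> SuppressionList:
    """Constructed sample opt-outs: one editor, and one whole domain."""
    suppressed = SuppressionList()
    suppressed.add(" Editor@Example.org ")   # constructed: a person who replied "please stop"
    suppressed.add("nospam.net")             # constructed: a site that asked for no outreach at all
    return suppressed


if __name__ == "__main__":
    demo = build_demo_list()
    targets = ["a@nospam.net", "b@ok.com", "mailto:EDITOR@example.org", "other@example.org"]
    print("send to:", demo.filter_targets(targets))
    print("stored tags:", demo.export())
```

Run the check on every batch before it reaches the sending tool; the exported tags are what you keep in the shared sheet, and the key stays with the person who runs the outreach.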

Simple Steps Towards Compliance

For internet marketers, there are a few simple things you can do to get started:

Organize all the personal data you already have

Document where it came from and who you share it with

Assign a legal basis for the storage and processing of that data (consent, contract, legal obligation, etc.)

Review privacy policy and add the new, obligatory information

Email your list and ask for consent to GDPR level

Put systems in place to keep a record of consent
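As an added example (not from the podcast or from Suzanne’s materials), the following Python sketch shows how the double opt-in described earlier and the record of consent in the last step fit together: the sign-up form issues an HMAC-signed, time-limited confirmation token carrying exactly the purposes that were ticked and the privacy policy version shown; clicking the link verifies the token and produces a consent record (who, which purposes, which policy, when, how); a granularity check refuses to send for a purpose that was not ticked; and a helper flags records older than the ICO’s two-year rule of thumb for refreshing consent. The secret key, the 48-hour link lifetime and the purpose names are assumptions.

```python
"""Double opt-in token plus a consent record (added example, not the page's code).

Assumptions: SECRET_KEY comes from configuration in a real deployment, a
confirmation link is valid for 48 hours, and the purpose names are illustrative.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

SECRET_KEY = b"replace-with-a-random-32-byte-secret"   # assumption: never hard-code in production
TOKEN_TTL_SECONDS = 48 * 3600                          # assumption: confirmation link lifetime
REFRESH_AFTER_SECONDS = 2 * 365 * 24 * 3600            # ICO rule of thumb: refresh consent every two years


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, purposes, policy_version: str, now=None) -> str:
    """Step 1 of double opt-in: sign what the person actually ticked on the form."""
    issued_at = int(now if now is not None else time.time())
    payload = json.dumps(
        {"email": email.strip().lower(), "purposes": sorted(purposes),
         "policy": policy_version, "iat": issued_at},
        sort_keys=True, separators=(",", ":")).encode("utf-8")
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(sig)}"


def verify_confirmation_token(token: str, now=None):
    """Step 2: accept a clicked link only if the signature is intact and the token is fresh.

    Returns the signed payload as a dict, or None if the token is malformed,
    tampered with or expired. The signature is checked before the JSON is parsed.
    """
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong number of parts, or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    current = int(now if now is not None else time.time())
    if current - data["iat"] > TOKEN_TTL_SECONDS:
        return None
    return data


@dataclass(frozen=True)
class ConsentRecord:
    """The evidence a regulator would ask for: who agreed to what, under which policy, when and how."""
    email: str
    purposes: tuple
    policy_version: str
    granted_at: int            # unix time the confirmation link was clicked
    method: str = "double opt-in"


def record_consent(token: str, now=None):
    """Turn a verified confirmation click into a consent record, or None if the token is rejected."""
    data = verify_confirmation_token(token, now)
    if data is None:
        return None
    granted_at = int(now if now is not None else time.time())
    return ConsentRecord(data["email"], tuple(data["purposes"]), data["policy"], granted_at)


def consent_covers(record: ConsentRecord, purpose: str) -> bool:
    """Granular consent: only send for a purpose the person actually ticked."""
    return purpose in record.purposes


def consent_due_for_refresh(record: ConsentRecord, now=None) -> bool:
    """True once the record is older than the two-year refresh window."""
    current = int(now if now is not None else time.time())
    return current - record.granted_at >= REFRESH_AFTER_SECONDS


if __name__ == "__main__":
    link_token = make_confirmation_token("Alice@Example.com", ["weekly_newsletter"], "privacy-v2")
    record = record_consent(link_token)           # simulates the click on the confirmation link
    print(record)
    print("may send product offers:", consent_covers(record, "product_offers"))
```

Store the consent records append-only alongside the policy text they reference; the token itself is never stored, only the record it produced.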

Suzanne can help you with:

A template for the data inventory

Legal basis for processing

New privacy policy template

Email you need to send your list notifying them of the new privacy policy

A new processing agreement if a third party is performing your payroll for example

Hello! I haven’t listened to the podcast yet, so I apologize if you address this during the session, but do U.S.-based websites have to comply with the GDPR? All of my sites are .com and hosted in the U.S., but I do get a lot of visitors from the U.K., Germany, and a couple of other European countries. Please let me know!

As always, thank you guys for your terrific podcasts and posts. I *always* learn something when I’m here.

I have a new site and it is focused on the US with no plans to attract EU visitors, so I have no interest in complying with EU law. And why in the hell does a law in the EU matter if we do not wish to do business there? What are we to do? Put up an electronic fence?

Great interview. First I’ve heard of these new regs. I think the only way this applies to me is probably through Mailchimp (even though I only manage about 6 sign-ups per year & don’t remember ever sending out an email yet in 3-4 years!)

WOW, THIS IS SCARY!!! Basically it is opening doors for you and I and others to be victims of cyberbullies. Everyone who gets angry or upset can now attack you and cause you harm. While I understand if you are compliant you will not be fined, you will come under the spotlight. Does that mean I now need legal advice each time? Great video Mark.

Okay… I have a full understanding of the GDPR stuff now after listening to this podcast. And I understand that I fall under the scope of this law even though I am U.S. based because I have subscribers and website visitors from the EU. But what I haven’t heard and what I don’t understand is this… What the hell is going to happen to me if I don’t comply? Does somebody in the EU have some sort of jurisdiction over me and what I do in the U.S.? Would they potentially come after my account through my email service provider? I know I wouldn’t be subject to fines from another country… my only concern is that my ESP account could get shut down.

At this point, I see no reason to jump through hoops to comply with some other country’s laws. I think I’d rather just deal with it when/IF it ever comes to the point that it becomes an issue.

You are right, and if you are a small/medium sized business I think there is almost nothing that they will do to you. We’re EU based so we are working through some more concrete steps to comply, but if I was US based I’d maybe look into an updated privacy policy and just make sure that every team member knew to take things seriously (forward complaints to you, remove people who ask etc). If you take those basic steps as a US company and you don’t store massive amounts of sensitive data, I can’t see anyone ever fining you. But it’s worth watching how the law evolves and if / when specific rulings come up.

Hello,
I have a question as to how this is going to affect AFFILIATE MARKETING.
1) When a visitor clicks an affiliate tracking link on our site, that gets stored in a cookie. And later when they buy stuff, Amazon knows we sent them and we get paid. All because of the cookie stored. Does that get affected by the new law? If it does, that would be the death of affiliate marketing.

2) For link building. Suppose we have a personally stored Excel file where we store website data, their interests, descriptions, observations about the link targets we want to outreach. That is what Moz recommends in their Link Building Strategy (to gather data from targets for email outreach customization). My question is: having such a file is now illegal, correct?

I’m not a lawyer so this isn’t legal advice, just my interpretation:

1) My understanding is that you may have to ask for consent. However, this is nothing new as the cookie consent laws have been in place in Europe for a long time.
2) My understanding is that link building is a business collaboration event. You aren’t trying to sell your products here, rather collaborate with them (e.g. with a guest post). So I don’t think it’s in scope for GDPR.